Encode params in URLSearchParams

luluwu2032 · facebook-github-bot · commit 1042a8012fb4 · 2022-03-11T16:26:48.000-08:00
Summary: URL params are not encoded which could cause a security risk, for more details pls see https://fb.workplace.com/groups/react.technologies.discussions/permalink/3184249088473474/ Changelog: [General][Security] - Encode URL params in URLSearchParams.toString() Reviewed By: yungsters Differential Revision: D34415119 fbshipit-source-id: 83c29df9427ad0adc9b6a2b4d0ff5494247aa5cb
diff --git a/Libraries/Blob/URL.js b/Libraries/Blob/URL.js
@@ -101,7 +101,13 @@ export class URLSearchParams {
     }
     const last = this._searchParams.length - 1;
     return this._searchParams.reduce((acc, curr, index) => {
-      return acc + curr.join('=') + (index === last ? '' : '&');
+      return (
+        acc +
+        encodeURIComponent(curr[0]) +
+        '=' +
+        encodeURIComponent(curr[1]) +
+        (index === last ? '' : '&')
+      );
     }, '');
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,13 @@ export class URLSearchParams {`
`101`	`101`	`}`
`102`	`102`	`const last = this._searchParams.length - 1;`
`103`	`103`	`return this._searchParams.reduce((acc, curr, index) => {`
`104`		`- return acc + curr.join('=') + (index === last ? '' : '&');`
	`104`	`+ return (`
	`105`	`+ acc +`
	`106`	`+ encodeURIComponent(curr[0]) +`
	`107`	`+ '=' +`
	`108`	`+ encodeURIComponent(curr[1]) +`
	`109`	`+ (index === last ? '' : '&')`
	`110`	`+ );`
`105`	`111`	`}, '');`
`106`	`112`	`}`
`107`	`113`	`}`